Exam Details

  • Exam Code: CIPM
  • Exam Name: Certified Information Privacy Manager
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 230 Q&As
  • Last Updated: May 08, 2024

IAPP IAPP Certifications CIPM Questions & Answers

  • Question 21:

    Internal audits add value to the privacy program primarily through what?

    A. Evaluating the effectiveness of the privacy program.

    B. Remediating gaps in the privacy program noted by management.

    C. Remediating gaps in the privacy program noted within audit reports.

    D. Determining the applicability of certain privacy regulations to the organization.

  • Question 22:

    The owner of an ice cream store has decided to begin accepting credit and debit cards for payment. To comply with industry standards, the owner will need to do which of the following?

    A. Seek ISO 27001 certification.

    B. Implement PCI data security controls.

    C. Issue a privacy notice to store customers.

    D. Use only vendor-supplied system passwords.

  • Question 23:

    You are the Privacy Officer (PO) at a University. Recently, the police have contacted you as they suspect that one of your students is using a library computer to commit financial fraud. The police would like your assistance in investigating this individual and are requesting computer logs and usage data of the student. What is your first step in responding to the request?

    A. Refuse the request as the police do not have a warrant.

    B. Provide the data to police and record it for your own archives.

    C. Contact the University's legal counsel to determine if the request is lawful.

    D. Review policies, procedures and legislation to determine the University's obligation to co-operate with the police.

  • Question 24:

    SCENARIO

    Please use the following to answer the next question:

    Jonathan recently joined a healthcare payment processing solutions company as a senior privacy manager. One morning, Jonathan awakens to several emails informing him that an individual cloud server failed due to a flood in its server room, damaging its hardware and destroying all the data the company had stored on that drive. Jonathan was not aware that the company had this particular cloud account or that any data was being stored there because it was not included in the data mapping or data inventory provided to him by his predecessor. Jonathan's predecessor conducted a data inventory and mapping exercise 4 years ago and updated it on an annual basis.

    Renee works in the sales department and tells Jonathan that she doesn't think that account had been used since the company moved to a bigger cloud vendor three years ago. She also advised him that the account was mostly used by Human Resources (HR) and Accounts Payable (AP). Jonathan speaks to both departments and learns that each had met with his predecessor multiple times and explained they saved sensitive personal data on that drive, including health and financial related personal data and "other stuff." Jonathan also learns that the data stored in that account was not backed up pursuant to company policy. Jonathan asks his IT department who had access to that particular account and learns that there were no access controls in place, making the account available to anyone in the company, despite the purported sensitivity of the data being stored there.

    Jonathan is panicking as the data can't be recovered, and he can't determine exactly what data was saved on that account or to whom it belongs. Two days later, the company receives 32 data subject access requests and Accounts Payable confirms Jonathan's worry that these data subjects' personal data was likely stored on this account. He searches for the company's data subject access request policy, but later learns it doesn't exist.

    Based on the scenario above, what is the most appropriate next step Jonathan should take?

    A. Consult with the legal team to determine how to address the data subjects' requests and determine the risk of noncompliance.

    B. Consult with other key stakeholders to create a presentation on the incident and lessons learned for the board of directors.

    C. Consult with the public relations team to discuss potential brand impact of not responding to the data subjects' requests.

    D. Consult with the IT team to understand how and why this cloud account was not disabled.

  • Question 25:

    SCENARIO

    Please use the following to answer the next question:

    Jonathan recently joined a healthcare payment processing solutions company as a senior privacy manager. One morning, Jonathan awakens to several emails informing him that an individual cloud server failed due to a flood in its server room, damaging its hardware and destroying all the data the company had stored on that drive. Jonathan was not aware that the company had this particular cloud account or that any data was being stored there because it was not included in the data mapping or data inventory provided to him by his predecessor. Jonathan's predecessor conducted a data inventory and mapping exercise 4 years ago and updated it on an annual basis.

    Renee works in the sales department and tells Jonathan that she doesn't think that account had been used since the company moved to a bigger cloud vendor three years ago. She also advised him that the account was mostly used by Human Resources (HR) and Accounts Payable (AP). Jonathan speaks to both departments and learns that each had met with his predecessor multiple times and explained they saved sensitive personal data on that drive, including health and financial related personal data and "other stuff." Jonathan also learns that the data stored in that account was not backed up pursuant to company policy. Jonathan asks his IT department who had access to that particular account and learns that there were no access controls in place, making the account available to anyone in the company, despite the purported sensitivity of the data being stored there.

    Jonathan is panicking as the data can't be recovered, and he can't determine exactly what data was saved on that account or to whom it belongs. Two days later, the company receives 32 data subject access requests and Accounts Payable confirms Jonathan's worry that these data subjects' personal data was likely stored on this account. He searches for the company's data subject access request policy, but later learns it doesn't exist.

    Which step did Jonathan correctly determine most significantly contributed to the issue at hand?

    A. Due diligence on the cloud provider that hosted the impacted account had not been performed.

    B. Training and awareness around appropriate storage of sensitive personally identifiable data had not been performed.

    C. This cloud account and the personal data stored there had not been accounted for in the data mapping or accounted for in the data inventory.

    D. Specific instructions on backing up data to human resources and accounts payable had not been given to Human Resources and Accounts Payable.

  • Question 26:

    Which of the following is a common disadvantage of a third-party audit?

    A. It identifies weaknesses of internal controls.

    B. It lends credibility to an internal audit program.

    C. It requires a learning curve about the organization.

    D. It provides a level of unbiased, expert recommendations.

  • Question 27:

    SCENARIO

    Please use the following to answer the next question:

    Jonathan recently joined a healthcare payment processing solutions company as a senior privacy manager. One morning, Jonathan awakens to several emails informing him that an individual cloud server failed due to a flood in its server room, damaging its hardware and destroying all the data the company had stored on that drive. Jonathan was not aware that the company had this particular cloud account or that any data was being stored there because it was not included in the data mapping or data inventory provided to him by his predecessor. Jonathan's predecessor conducted a data inventory and mapping exercise 4 years ago and updated it on an annual basis.

    Renee works in the sales department and tells Jonathan that she doesn't think that account had been used since the company moved to a bigger cloud vendor three years ago. She also advised him that the account was mostly used by Human Resources (HR) and Accounts Payable (AP). Jonathan speaks to both departments and learns that each had met with his predecessor multiple times and explained they saved sensitive personal data on that drive, including health and financial related personal data and "other stuff." Jonathan also learns that the data stored in that account was not backed up pursuant to company policy. Jonathan asks his IT department who had access to that particular account and learns that there were no access controls in place, making the account available to anyone in the company, despite the purported sensitivity of the data being stored there.

    Jonathan is panicking as the data can't be recovered, and he can't determine exactly what data was saved on that account or to whom it belongs. Two days later, the company receives 32 data subject access requests and Accounts Payable confirms Jonathan's worry that these data subjects' personal data was likely stored on this account. He searches for the company's data subject access request policy, but later learns it doesn't exist.

    Jonathan wants to formalize monitoring to prevent a similar issue from happening again. What scope of monitoring would be most useful?

    A. Monitoring compliance with data mapping and disaster recovery.

    B. Monitoring new privacy legislation and industry standards for information security.

    C. Monitoring the vulnerabilities across environments containing sensitive personal data.

    D. Monitoring of vendor contracts to ensure security controls are systematically addressed.

  • Question 28:

    Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational lifecycle?

    A. Respond.

    B. Assess.

    C. Protect.

    D. Sustain.

  • Question 29:

    Which item below best represents how a Privacy Group can effectively communicate with functional areas?

    A. Rely solely on items from work units for constructing an impact assessment.

    B. Work closely with functional areas by acting as both an advisor and advocate.

    C. Focus attention on Directors and Senior Managers as they are responsible for the work.

    D. Choose a work unit representative and funnel all communications through that one person.

  • Question 30:

    What is the most secure standard for disposition of a hard drive containing personal data?

    A. Degaussing.

    B. Formatting.

    C. Decryption.

    D. Recycling.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only IAPP exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CIPM exam preparation and IAPP certification application, do not hesitate to visit Vcedump.com to find your solutions here.